SharePoint 2013: An exception occurred when trying to establish endpoint for context: Could not load file or assembly...

Problem

Your SharePoint 2013 farm network environment is highly secured.  Network operations pushes through a new GPO one evening having new security configurations.  Next day, you try connecting to your SharePoint 2013 site, and your browser displays HTTP Error 503 Service Unavailable. You try connecting to the farm's Central Administration, and experience the same error.  You check the Application event log of the server hosting the web application, and you see the following:

Log Name:      Application
Source:        Microsoft-SharePoint Products-SharePoint Foundation
Date:          [date/time]
Event ID:      8305
Task Category: Claims Authentication
Level:         Error
Keywords:      
User:          [domain\your account]
Computer:      [machinename]
Description:
An exception occurred when trying to establish endpoint for context: 
Could not load file or assembly 'Microsoft.IdentityModel.Extensions, 
Version=2.0.0.0, Culture=neutral, PublicKeyToken=69c3241e6f0468ca' or 
one of its dependencies. Either a required impersonation level was 
not provided, or the provided impersonation level is invalid. 
(Exception from HRESULT: 0x80070542).
Event Xml:
.
.
.

Troubleshooting

1.  Check Services for SharePoint 2013 services
• Results: SharePoint Administration service running; Claims to Windows Token Service (C2WTS) disabled; other SP services appropriately configured and running.
2. Started C2WTS, then checked site.
• Result: still experience 503 error.
3. Checked IIS Application pools for SharePoint web applications and and services.
• Results: these application pools stopped: search, main site, SharePoint Central Administration V4, SecurityTokenServiceApplicationPool, and some other app services; other SharePoint app pools are started.
4. Started SharePoint Central Administration V4, SecurityTokenServiceApplicationPool, then checked site.
• Results: still experienced 503 error; additionally, SecurityTokenServiceApplicationPool stopped again.  Re-attempts also failed.
5. Granted main site (web application) application pool identity Logon as batch local right, then performed gpupdate /force.  Then connected to main site and then CA.
• Result: connecting to main site now gets HTTP Error 500.  Central administration backup.
6. Granted main site (web application) application pool identity Impersonate a client at authentication local right.  Performed gpupdate /force.  Then connected to main site and then CA.
• Results:  Main site now up, but CA now down and returns "Unexpected error" message in browser.
7. Granted Central Administration (web application) application pool identity Impersonate a client at authentication local right.  Performed gpupdate /force.  Then connected to main site and then CA.
• Results: Main site still up and CA still down with same error message.
8. Recycled and then restarted Central Administration (web application) application pool, and then restarted IIS.  Then connected to main site and then CA.
• Results: both main and CA now up.

Solution

1. Have the application pool identities for all farm web applications configured with Logon as batch and Impersonate a client at authentication local rights.
2. After granting the identities these rights, restart the application pools.

References

• SharePoint 2013 – ‘HTTP 500 Internal Server Error’ while trying to browse to a SharePoint site
• An exception occurred when trying to issue security token: The HTTP service located at
• SharePoint 2013 - Application Server Job Failed (Event ID 6481)
• Sharepoint Central Administration - Site comes up with "Unexpected Error

Notes

• Could not have resolved this without the assistance of sysadmins.
• Application pool identities must have Logon as Batch and Impersonate a client after authentication local rights.
• The above troubleshooting steps are not complete but are to the best of memory and may be missing some quick steps.